Rules:
5.3.a. Bit-fields shall not be defined within signed integer types.
5.3.b. None of the bitwise operators (i.e., &, |, ~, ^, <<, and >>) shall be used to manipulate signed integer data.
5.3.c. Signed integers shall not be combined with unsigned integers in comparisons or expressions. In support of this, decimal constants meant to be unsigned should be declared with a ‘u’ at the end.
Example:
#include <stdint.h>

uint16_t unsigned_a = 6u;
int16_t signed_b = -9;
if (unsigned_a + signed_b < 4)
{
    // Execution of this block appears reliably logical, as -9 + 6 is -3
    ...
}
// ... but compilers with 16-bit int may legally perform (0xFFFF - 9) + 6.
Reasoning: Several details of the manipulation of binary data within signed integer containers are implementation-defined behaviors of the ISO C standards. Additionally, the results of mixing signed and unsigned integers can lead to data-dependent outcomes like the one in the code above.[7] Beware that the use of C99's fixed-width integer types does not by itself prevent such defects.
Enforcement: Static analysis tools can be used to detect violations of these rules.
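Worked example, added here and not part of the standard's own text: it runs the comparison from the example above through C's integer promotion and usual arithmetic conversions, shows why the 16-bit case depends on the compiler's int width while the 32-bit case misbehaves everywhere, and gives a rule-compliant rewrite. The function names are illustrative.

```c
#include <limits.h>
#include <stdint.h>

/* True when int is at least 32 bits wide (typical desktop and 32/64-bit
 * embedded targets); false on a 16-bit-int compiler. */
int int_is_at_least_32_bits(void)
{
    return INT_MAX >= 0x7FFFFFFFL;
}

/* The comparison from the rule's example, unchanged. With a 32-bit int both
 * operands promote to int, the sum is -3, and the result is 1. With a 16-bit
 * int, int16_t is int and uint16_t is unsigned int, so signed_b converts to
 * unsigned (65527), the sum is 65533, and the result is 0. */
int mixed16_less_than_4(uint16_t unsigned_a, int16_t signed_b)
{
    return unsigned_a + signed_b < 4;
}

/* The same defect with 32-bit operands no longer depends on the width of
 * int: integer promotion does not apply, signed_b converts straight to
 * uint32_t (4294967287u), the sum is 4294967293u, and the result is 0 on
 * every conforming compiler. */
int mixed32_less_than_4(uint32_t unsigned_a, int32_t signed_b)
{
    return unsigned_a + signed_b < 4;
}

/* Compliant rewrite: convert both operands explicitly to one signed type
 * wide enough for the full range of either before doing arithmetic, so the
 * sum is -3 regardless of the compiler's int width. */
int compliant32_less_than_4(uint32_t unsigned_a, int32_t signed_b)
{
    int64_t sum = (int64_t)unsigned_a + (int64_t)signed_b;
    return sum < 4;
}
```

Compiling with `gcc -Wsign-conversion` reports the implicit signed-to-unsigned conversion of signed_b in mixed32_less_than_4, which is the kind of check the Enforcement line refers to.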
Footnotes
[7] [MISRA-C] describes problems that can arise from mixing C’s “essential types” at length in its Appendix C and Appendix D.